PROS Holdings (PRO) Risk Analysis

If we are unable to provide enhancements and new features for our existing software solutions or new solutions that achieve market acceptance or to integrate technology, products and services that we acquire into our Platform, our business, revenues and other operating results could be significantly adversely affected. The success of enhancements, new features and modules depends on several factors, including the timely completion, introduction and market acceptance of the enhancements or new features or modules. We have experienced, and may experience in the future, delays in the planned release dates of enhancements to our Platform, and we have discovered, and may discover in the future, errors in new releases after their introduction. Either situation could result in adverse publicity, loss of sales, delay in market acceptance of our Platform or customer claims, including, among other things, warranty claims against us, any of which could cause us to lose existing customers or affect our ability to attract new customers. Furthermore, because our software solutions are intended to interoperate with a variety of third-party enterprise software solutions, we must continue to modify and enhance our software to keep pace with changes in such solutions. Any inability of our software to operate effectively with third-party software necessary to provide effective solutions to our customers could reduce the demand for our software solutions, result in customer dissatisfaction and limit our financial performance.

We have been and will continue to be a target for cybersecurity attacks because we store, process and transmit confidential, proprietary and other sensitive information for both our customers and our own operations. Despite our implementation of security measures and controls designed to prevent, mitigate, eliminate or alleviate known security vulnerabilities, our systems and those of third parties upon whom we rely have been and will continue to be subject to cybersecurity attacks designed to impede the performance of our products, penetrate our network or cloud platform security, our internal systems or that of our customers, misappropriate proprietary information or cause interruptions to our services. There are many cybersecurity threat actors, including cyber criminals with financial motives and sophisticated nation-state actors. Events have occurred and may occur in the future due to human error, fraud or malice on the part of employees, contractors or other third parties. Cybersecurity events can occur in many different forms, including data theft, data corruption, data loss, unauthorized access, mishandling of customer, employee and other confidential data, computer viruses, ransomware or malicious software programs or code, advanced persistent threat intrusions by inside actors, threat actors or other third parties, supply-chain attacks, social engineering attacks targeting our employees ("phishing"), fraud (including threat actors applying for employment to gain credentials), web application and infrastructure attacks, denial of service and other similar disruptive events (each a "Cybersecurity Event"). We use third-party and public-cloud infrastructure providers, such as Microsoft Azure, IBM, Amazon Web Services ("AWS") and others, and we are dependent on the security measures of those third parties to protect against Cybersecurity Events. We have experienced and may experience in the future Cybersecurity Events introduced through the tools and services we use. Our ability to monitor third-party service providers' data security is necessarily limited, and attackers may be able to circumvent our third-party service providers' data security measures. There have been and may be in the future significant attacks on certain third-party providers, and we cannot guarantee that our or our third-party providers' systems and networks have not been breached, or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us and our Platform. In the normal course of our business, we experience Cybersecurity Events that, to date, we believe have been typical for a SaaS company of our size. However, despite implementing security measures, there is no guarantee of preventing or mitigating a Cybersecurity Event. Cybersecurity attacks have in the past, and may again in the future, impede the performance of our products, penetrate the security of our network, cloud platform and other internal systems, or that of our customers, misappropriate proprietary information or cause interruptions to our services. Given the novel and sophisticated ways that threat actors engage in cybersecurity attacks, the security measures implemented by us and by our third-party service providers cannot provide absolute security, and there can be no assurance that such security measures will be effective against current or future security threats. The scale and number of cybersecurity attacks continue to grow rapidly, and the methods and techniques used by threat actors change frequently, and may not be recognized until launched or for an extended period of time thereafter. These threats continue to evolve in sophistication and are difficult to detect and predict due to advances in electronic warfare techniques and AI, new discoveries in the field of cryptography and new and sophisticated methods used by criminals. Cybersecurity attacks have become more prevalent against SaaS companies generally, have increased as more individuals work remotely and have also increased due to political uncertainty and geopolitical and regional conflicts. As a result, we and our third-party service providers are subject to heightened risks of Cybersecurity Events from nation-state actors or other third parties leveraging tools originating from nation-state actors, and potentially exposing us to new complex threats. We may be unable to anticipate these techniques or implement adequate preventative or remediation measures in a timely manner, if at all, even when a vulnerability is known. We and our third-party providers may not be able to address vulnerabilities prior to experiencing a Cybersecurity Event. We may incur significant costs and liability in the event of a breach. We may also be required to, or find it appropriate to, expend substantial capital and other resources to remediate or otherwise respond to problems caused by any actual or perceived breaches or Cybersecurity Events. Cybersecurity Events impacting us or our service providers have in the past, and could in the future, result in interruptions and delays in certain services. These incidents and interruptions could lead to cessation of service and loss of existing or potential customers, loss of confidence in the security of our solutions and services, damage to our reputation, negative impact to our future sales, disruption of our business, increases to our information security costs, unauthorized access to, and theft, loss or disclosure of, our and our customers' proprietary and confidential information (including personal data), litigation, governmental investigations and enforcement actions (including fines or other actions), increased stock price volatility, significant costs related to indemnity obligations, legal liability and other expenses, and material harm to our business, financial condition, cash flows and results of operations. For example, in the event of a ransomware attack, it could be difficult to recover services that are the subject of the ransomware attack and there can be no guarantee as to the timing or completeness of any such recovery. These costs may include liability for stolen assets or information, remediation of system damage, incentives offered to customers or other business partners in an effort to maintain business relationships after a breach, and other costs, expenses and liabilities. We cannot ensure that our commercial insurance will be available or sufficient to compensate us for all costs we may incur as a result of a Cybersecurity Event, and if we made significant insurance claims, our ability to obtain comparable insurance in the future may be impaired or only available at significantly increased cost. There can be no assurance that future Cybersecurity Events will not be material to our business operations, financial condition, cash flows and results of operations.

The markets for enterprise software applications for pricing optimization and management, CPQ, airline revenue optimization, airline distribution and retail, and digital offer marketing are competitive, fragmented and rapidly evolving. We expect additional competition from other established and emerging companies as the markets in which we compete continue to develop and expand, as well as through industry consolidation, including through a merger or partnership of two or more of our competitors or the acquisition of a competitor by a larger company. For example, the introduction of new AI platforms and applications by competitors or the development of entirely new technologies to replace existing software offerings could negatively impact demand for our Platform. Some of our current and potential competitors may have larger installed bases of users, longer operating histories, broader distribution, greater name recognition, a broader suite of product offerings, and have significantly greater resources than we have. As a result, these companies may be able to respond more quickly to new or emerging technologies and changes in customer demands, and devote greater resources to the development, promotion and sale of their products. Competition could seriously impede our ability to sell our software solutions and services on terms favorable to us or at all. Our current and potential competitors may develop and market new technologies that render our existing or future solutions obsolete, unmarketable or less competitive. In addition, if these competitors develop solutions with similar or superior functionality to our solutions, or if they offer solutions with similar functionality at substantially lower prices than our solutions, we may need to decrease the prices for our solutions in order to remain competitive. In addition, our competitors have and may in the future, offer their products and services at a lower price, or offer price concessions, delayed payment terms, or provide financing or other terms and conditions that are more enticing to potential customers. For example, technology advancements in AI that drive material improvements in operating efficiency may allow competitors to further compete with us on price. If we are unable to maintain our current pricing due to competitive pressures, our margins could be reduced and our operating results could be adversely affected. If we do not compete successfully against current or future competitors, competitive pressures could materially and adversely affect our business, financial condition, cash flows and operating results.

Our cloud products are dependent upon third-party hardware, software and cloud hosting vendors, including Microsoft Azure, IBM Softlayer and AWS, many of which must interoperate for end users to achieve their computing goals. We utilize third-party data center hosting facilities, cloud platform providers and other service providers to host and deliver our subscription services as well as for our own business operations. We host our cloud products from data centers in a variety of countries. While we control and generally have exclusive access to our servers and all of the components of our network that are located in our external data centers, we do not control the operation of these facilities and they are vulnerable to damage or interruption from hurricanes, earthquakes, floods, fires, power loss, telecommunications and human failures and similar events. They may also be subject to Cybersecurity Events, break-ins, sabotage, intentional acts of vandalism and similar misconduct. Despite our failover capabilities, standard protocols and other precautions, the occurrence of a natural disaster or an act of terrorism, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in lengthy interruptions in our service. In addition, disruptions to the hardware supply chain necessary to maintain these third-party systems or to run our business could impact our service availability and performance. These providers have no obligation to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew these agreements on commercially reasonable terms or at all, or if one of our data center operators is acquired, we may be required to transfer our servers and other infrastructure to new data center facilities, and we may incur significant costs and possible service interruption in connection with doing so. Certain of our applications are essential to our customers' ability to quote, price, and/or sell their products and services. Interruption in our service may affect the availability, accuracy or timeliness of quotes, pricing or other information and could require us to issue service credits to our customers, damage our reputation, cause our customers to terminate their use of our solutions, require us to indemnify our customers against certain losses, and prevent us from gaining additional business from current or future customers. In addition, certain of our applications require access to our customers' data which may be held by third parties, some of whom are, or may become, our competitors. For example, many of our travel industry products rely upon access to airline data held by large airline IT providers which compete against certain of our airline products. Certain of these competitors have in the past, and may again in the future, make it difficult for our airline customers to access their data in a timely and/or cost-effective manner. Any disruption from our third-party data center, software, data or other service providers could impair the delivery of our service and negatively affect our business, damage our reputation, negatively impact our future sales and/or cash flows and lead to legal liability and other costs.

Our operating results may vary based on the impact of changes in the global economy or conditions in the industries we serve. General macroeconomic conditions impacted by inflation, increased cost of capital, supply chain disruptions, fluctuations in currency exchange rates, and recession risks in major economies, and geopolitics, including armed conflicts, affect the business climate in which we operate. Inflation has resulted in, and may continue to result in, higher interest rates and capital costs, shipping costs, supply shortages, increased costs of labor, weakening exchange rates and other similar effects. Deterioration in the economy, regardless of causes, can negatively impact demand for our solutions and make it difficult to accurately forecast and plan our future business activities. Geopolitical tension and armed conflicts, including the Russia-Ukraine war and hostilities in the Middle East, have had, and continue to have, an adverse impact on the global economy, including supply chain disruptions, inflation and capital and commodity markets volatility. In addition, the expansion of tariffs on goods imported into the U.S., as well as responsive or related policies enacted in other countries, could negatively impact various international trading relationships, economies, inflation, and labor and currency markets. All of these risks and conditions could harm our future sales, business and operating results. Our business and operations could also be harmed and our costs could increase if our or our customers' or other partners' manufacturing, logistics or other operations, costs or financial performance are disrupted or adversely affected. While the ultimate scope and broader impact of the ongoing Russia-Ukraine and Middle East conflicts cannot be predicted, they have not had a material impact to date on our business or ability to operate. However, if these conflicts or other geopolitical tensions spark additional regional or wider conflicts, then additional risks may manifest themselves, including general geopolitical unrest, broader economic uncertainty, turmoil in certain financial markets, instability in the financial system, disruption to domestic and international travel, displacement of persons, disruption of supply chains, further inflation, increased cybersecurity threats and attacks, the possibility of military activity or risk of wider war. Weakening economic conditions, regardless of the causes, have previously and could again adversely affect our prospects' and customers' buying behavior, including slower or reduced technology spending, decreasing customers' ability or willingness to purchase or continue to use our solutions, reducing the value, scope or duration of subscription contracts, or limiting their ability to pay amounts owed, all of which would adversely affect our operating results. Prolonged economic uncertainties relating to macroeconomic trends could limit our ability to grow our business and negatively affect our operating results. We have experienced, and expect to continue to experience, increased operational and capital costs due to inflation. While the inflation rate eased in 2024, absolute costs remain elevated in certain markets. In response to ongoing inflationary concerns, the U.S. Federal Reserve and other central banks may, in 2025, delay further rate cuts or raise interest rates. As a result, market interest rates remain high and could rise further, increasing borrowing costs for us and our customers. Inflation and higher than recently historical interest rates could negatively impact our business if we are unable to achieve commensurate increases in the prices we charge our customers. Although we have taken measures to mitigate the impact of inflation and increased interest rates, if these measures do not continue to be effective, our business, financial condition, results of operations, cash flow, and liquidity could be materially adversely affected. Even if such measures are effective, there could be a difference between the timing of when these beneficial actions impact our results of operations and when the cost of inflation is incurred.

The majority of our revenues are derived from our customers outside the U.S. While the majority of our sales are denominated in U.S. dollars, the majority of our international operations expenses are denominated in local currencies. To date, we have not used risk management techniques or "hedged" the risks associated with fluctuations in foreign currency exchange rates. Consequently, our results of operations, cash flows and financial condition, including our revenue and operating margins, can be subject to losses from fluctuations in foreign currency exchange rates, as well as regulatory, political, social and economic developments or instability in the foreign jurisdictions in which we operate. For additional financial information about geographic areas, see Note 17 of the Notes to the Consolidated Financial Statements. Our operations outside the U.S. are subject to risks inherent in doing business internationally, requiring resources and management attention, and may subject us to new or larger levels of operational, regulatory, economic, foreign currency exchange, tax and political risks. In addition to our operations in the U.S., we have employees and operations in international locales, including in Europe, the Middle East, Latin America and Asia/Australia. We expect our international operations and the geographic footprint of our workforce to continue to grow. We face a wide variety of risks with respect to our international operations, including: - geopolitical and economic conditions in various parts of the world, including conflicts impacting travel and regional stability, supply chain and labor market disruptions, inflation, currency exchange and interest rate fluctuations and recession;- sustained disruption to domestic or international travel for any reason, including conflicts, outbreaks of contagious disease, as well as any other disrupting events;- the difficulty of managing and staffing our international operations and the increased travel, infrastructure and legal compliance costs associated with multiple international locations;- operational and organizational challenges with a more geographically dispersed workforce, including communication and remote management challenges, coordination and collaboration issues, cultural differences, knowledge management and transfer gaps, and other unforeseen costs;- differing labor and employment regulations, especially where labor laws are generally more advantageous to employees as compared to the U.S.;- compliance with multiple, conflicting, ambiguous, complex or evolving governmental laws and regulations, including privacy, data security, anti-corruption, import/export, antitrust and industry-specific laws and regulations and our ability to identify and respond timely to compliance issues when they occur;- vetting and monitoring our third-party business partners in new and evolving markets to confirm they maintain standards consistent with our brand and reputation;- less favorable intellectual property laws;- availability of sufficient network connectivity required for certain of our products; and - difficulties in enforcing contracts and collecting accounts receivable, especially in developing countries. As we continue to expand our business globally, our success depends, in large part, on our ability to anticipate and effectively manage these and other risks associated with our international operations. Our failure to manage any of these risks successfully could harm our international operations and reduce our international sales, adversely affecting our business, operating results, financial condition and cash flows.

We are a global company headquartered in Houston, Texas with significant operations in Sofia, Bulgaria and personnel and operations in other U.S. and international locations. We rely on our network infrastructure, third-party systems, and enterprise applications to support our sales, marketing, development, services, operational support and hosted services. Disruptions to these systems due to catastrophic events, including hurricanes, earthquakes, fires, floods, extreme weather events, power outages, telecommunications failures, software or hardware malfunctions, pandemics, war, terrorist attacks or other significant events, could adversely affect our operations. While no such historical event has been material to our business, we have experienced, and could experience in the future, temporary disruptions from such events. Although we maintain business continuity and disaster recovery plans, if these plans and our execution of them fail to adequately address or properly anticipate an actual event, such event could lead to reputational harm, loss of intellectual property, delays in our product development, lengthy interruptions in our services, breaches of data security and loss of critical data. Any of these events could prevent us from fulfilling our customer obligations or could negatively impact a country or region in which we sell our products, which could in turn decrease that country's or region's demand for our products. Even though we carry business interruption insurance and typically have provisions in our contracts that protect us in certain events, we might suffer losses from business interruptions that exceed the coverage under our insurance policies or for which we do not have coverage. Any natural disaster or other catastrophic event could create a negative perception in the marketplace, delay our product innovations, or lead to lengthy interruptions in our services, breaches of data security and losses of critical data, all of which could have an adverse effect on our operating results.

We provide our cloud software solutions globally and our operations are subject to complex and evolving laws and regulations, including those related to data privacy, data localization, data security, labor and employment, AI, import/export, competition, antitrust and consumer protection. Compliance with these laws and regulations, which are subject to frequent changes, is onerous, expensive, and time consuming. In addition, these laws and regulations may be inconsistent across jurisdictions and are subject to differing, and sometimes conflicting, interpretations and enforcement priorities. Although we have implemented policies, procedures and controls designed to ensure compliance with applicable laws, there can be no assurance that our employees, contractors or agents will not violate such laws and regulations or our policies and procedures. If we are found to have violated laws and regulations, it could materially adversely affect our business, reputation, results of operations, cash flow, and financial condition. Regulatory changes have in the past, and may in the future be announced with little or no advance notice, and we may not be able to effectively mitigate all adverse impacts from such measures. Our cloud software solutions process data on behalf of our customers, and if our customers fail to comply with contractual obligations or applicable laws and regulations, such non-compliance could result in litigation or reputational harm to us. Any perceived inability to adequately address privacy, data localization or cybersecurity compliance or to comply with other complex laws and regulations, even if unfounded, could result in liability to us and indemnification obligations, damage our reputation, inhibit sales of our solutions or harm our business, financial condition, results of operations and cash flows. Evolving laws and changing interpretations and enforcement priorities of existing laws and regulations by regulators and courts have in the past, and may continue to create new compliance obligations, increase our costs to provide our products and services, adversely affect our sales cycles, affect our ability to implement business models effectively, limit us from offering certain solutions in certain jurisdictions or circumstances, and expand the scope of potential liability, either jointly or severally with our customers, partners and suppliers. For example, evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process and receive personal data have in the past, and may in the future increase our costs and operational risks. While AI regulation is in the nascent stages of development globally, the evolving AI regulatory environment may adversely impact our sales cycle times, increase our research and development costs, and increase our liability related to the use of AI that are beyond our control or result in inconsistencies in evolving legal frameworks across jurisdictions. While we believe we have taken a responsible approach to the development and use of AI in our solutions and across the business, there can be no guarantee that future AI regulations will not adversely impact us or conflict with our approach to AI, including affecting our ability to make our solutions available without costly changes, requiring us to change our AI development practices, business strategies and/or indemnity protections and subjecting us to additional compliance requirements, regulatory action, competitive harm or legal liability. If the use of AI within certain of our solutions were to be significantly restricted or otherwise prohibited by future legislation or regulation, we may not be able to effectively compete with competitors who do not use AI in their solutions. If jurisdictions implement more restrictive or onerous regulations, such developments could adversely impact our business, financial condition, cash flows and results of operations.